Commit Message

When the user namespace support was merged the need to prevent
ptracing an executable that is not readable was overlooked.
Correct this oversight by not letting exec succeed if during exec an
executable is not readable and the current user namespace capabilities
do not apply to the executable's file.
While it happens that distros install some files setuid and
non-readable I have not found any executable files just installed
non-readalbe. Executables that are setuid to a user not mapped in a
user namespace are worthless, so I don't expect this to introduce
any problems in practice.
There may be a way to allow this execution to happen by setting
mm->user_ns to a more privileged user namespace and watching out for
the possibility of using dynamic linkers or other shared libraries
that the kernel loads into the mm to bypass the read-only
restriction. But the analysis is more difficult and it would
require more code churn so I don't think the effort is worth it.
Cc: stable@vger.kernel.org
Reported-by: Jann Horn <jann@thejh.net>
Fixes: 9e4a36ece652 ("userns: Fail exec for suid and sgid binaries with ids outside our user namespace.")
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
---
Tossing this out for review in case I missed something silly but this
patch seems pretty trivial.
arch/x86/ia32/ia32_aout.c | 4 +++-
fs/binfmt_aout.c | 4 +++-
fs/binfmt_elf.c | 4 +++-
fs/binfmt_elf_fdpic.c | 4 +++-
fs/binfmt_flat.c | 4 +++-
fs/exec.c | 19 ++++++++++++++++---
include/linux/binfmts.h | 6 +++++-
7 files changed, 36 insertions(+), 9 deletions(-)

Amir Goldstein <amir73il@gmail.com> writes:
>> diff --git a/fs/exec.c b/fs/exec.c>> index 6fcfb3f7b137..f724ed94ba7a 100644>> --- a/fs/exec.c>> +++ b/fs/exec.c>> @@ -1270,12 +1270,21 @@ EXPORT_SYMBOL(flush_old_exec);>>>> void would_dump(struct linux_binprm *bprm, struct file *file)>> {>> - if (inode_permission(file_inode(file), MAY_READ) < 0)>> + struct inode *inode = file_inode(file);>> + if (inode_permission(inode, MAY_READ) < 0) {>> + struct user_namespace *user_ns = current->mm->user_ns;>> bprm->interp_flags |= BINPRM_FLAGS_ENFORCE_NONDUMP;>> +>> + /* May the user_ns root read the executable? */>> + if (!kuid_has_mapping(user_ns, inode->i_uid) ||>> + !kgid_has_mapping(user_ns, inode->i_gid)) {>> + bprm->interp_flags |= BINPRM_FLAGS_EXEC_INACCESSIBLE;>> + }>> This feels like it should belong inside> inode_permission(file_inode(file), MAY_EXEC)> which hopefully should be checked long before getting here??
It is the active ingredient in capable_wrt_inode_uidgid and is indeed
inside of inode_permission.
What I am testing for here is if I have a process with a full
set of capabilities in current->mm->user_ns will the inode be readable.
I can see an argument for calling prepare_creds stuffing the new cred
full of capabilities. Calling override_cred. Calling inode_permission,
restoring the credentials. But it seems very much like overkill and
more error prone because of the more code involved.
So I have done the simple thing that doesn't hide what is really going on.
Eric

On Tue, Oct 18, 2016 at 2:15 PM, Eric W. Biederman
<ebiederm@xmission.com> wrote:
>> When the user namespace support was merged the need to prevent> ptracing an executable that is not readable was overlooked.
Before getting too excited about this fix, isn't there a much bigger
hole that's been there forever? Simply ptrace yourself, exec the
program, and then dump the program out. A program that really wants
to be unreadable should have a stub: the stub is setuid and readable,
but all the stub does is to exec the real program, and the real
program should have mode 0500 or similar.
ISTM the "right" check would be to enforce that the program's new
creds can read the program, but that will break backwards
compatibility.
--Andy

Andy Lutomirski <luto@amacapital.net> writes:
> On Tue, Oct 18, 2016 at 2:15 PM, Eric W. Biederman> <ebiederm@xmission.com> wrote:>>>> When the user namespace support was merged the need to prevent>> ptracing an executable that is not readable was overlooked.>> Before getting too excited about this fix, isn't there a much bigger> hole that's been there forever?
In this case it was a newish hole (2011) that the user namespace support
added that I am closing. I am not super excited but I figure it is
useful to make the kernel semantics at least as secure as they were
before.
> Simply ptrace yourself, exec the> program, and then dump the program out. A program that really wants> to be unreadable should have a stub: the stub is setuid and readable,> but all the stub does is to exec the real program, and the real> program should have mode 0500 or similar.>> ISTM the "right" check would be to enforce that the program's new> creds can read the program, but that will break backwards> compatibility.
Last I looked I had the impression that exec of a setuid program kills
the ptrace.
If we are talking about a exec of a simple unreadable executable (aka
something that sets undumpable but is not setuid or setgid). Then I
agree it should break the ptrace as well and since those programs are as
rare as hens teeth I don't see any problem with changing the ptrace behavior
in that case.
Eric

ebiederm@xmission.com (Eric W. Biederman) writes:
> Amir Goldstein <amir73il@gmail.com> writes:>>>> diff --git a/fs/exec.c b/fs/exec.c>>> index 6fcfb3f7b137..f724ed94ba7a 100644>>> --- a/fs/exec.c>>> +++ b/fs/exec.c>>> @@ -1270,12 +1270,21 @@ EXPORT_SYMBOL(flush_old_exec);>>>>>> void would_dump(struct linux_binprm *bprm, struct file *file)>>> {>>> - if (inode_permission(file_inode(file), MAY_READ) < 0)>>> + struct inode *inode = file_inode(file);>>> + if (inode_permission(inode, MAY_READ) < 0) {>>> + struct user_namespace *user_ns = current->mm->user_ns;>>> bprm->interp_flags |= BINPRM_FLAGS_ENFORCE_NONDUMP;>>> +>>> + /* May the user_ns root read the executable? */>>> + if (!kuid_has_mapping(user_ns, inode->i_uid) ||>>> + !kgid_has_mapping(user_ns, inode->i_gid)) {>>> + bprm->interp_flags |= BINPRM_FLAGS_EXEC_INACCESSIBLE;>>> + }>>>> This feels like it should belong inside>> inode_permission(file_inode(file), MAY_EXEC)>> which hopefully should be checked long before getting here??>> It is the active ingredient in capable_wrt_inode_uidgid and is indeed> inside of inode_permission.>> What I am testing for here is if I have a process with a full> set of capabilities in current->mm->user_ns will the inode be readable.>> I can see an argument for calling prepare_creds stuffing the new cred> full of capabilities. Calling override_cred. Calling inode_permission,> restoring the credentials. But it seems very much like overkill and> more error prone because of the more code involved.>> So I have done the simple thing that doesn't hide what is really going on.
At the same time I can see the addition of a helper function
bool ns_inode(struct user_namespace *user_ns, struct inode *inode)
{
return kuid_has_mapping(user_ns, inode->i_uid) &&
kgid_has_mapping(user_ns, inode->i_gid);
}
That abstracts out the concept instead of open codes it.
Eric

On Wed, Oct 19, 2016 at 11:52:50AM -0500, Eric W. Biederman wrote:
> Andy Lutomirski <luto@amacapital.net> writes:> > Simply ptrace yourself, exec the> > program, and then dump the program out. A program that really wants> > to be unreadable should have a stub: the stub is setuid and readable,> > but all the stub does is to exec the real program, and the real> > program should have mode 0500 or similar.> >> > ISTM the "right" check would be to enforce that the program's new> > creds can read the program, but that will break backwards> > compatibility.> > Last I looked I had the impression that exec of a setuid program kills> the ptrace.> > If we are talking about a exec of a simple unreadable executable (aka> something that sets undumpable but is not setuid or setgid). Then I> agree it should break the ptrace as well and since those programs are as> rare as hens teeth I don't see any problem with changing the ptrace behavior> in that case.
Nope. check_unsafe_exec() sets LSM_UNSAFE_* flags in bprm->unsafe, and then
the flags are checked by the LSMs and cap_bprm_set_creds() in commoncap.c.
cap_bprm_set_creds() just degrades the execution to a non-setuid-ish one,
and e.g. ptracers stay attached.
Same thing happens if the fs struct is shared with another process or if
NO_NEW_PRIVS is active.
(Actually, it's still a bit like normal setuid execution: IIRC AT_SECURE
stays active, and the resulting process still won't be dumpable, so it's
not possible for a *new* ptracer to attach afterwards. But this is just
from memory, I'm not entirely sure.)

On Wed, Oct 19, 2016 at 10:29 AM, Jann Horn <jann@thejh.net> wrote:
> On Wed, Oct 19, 2016 at 11:52:50AM -0500, Eric W. Biederman wrote:>> Andy Lutomirski <luto@amacapital.net> writes:>> > Simply ptrace yourself, exec the>> > program, and then dump the program out. A program that really wants>> > to be unreadable should have a stub: the stub is setuid and readable,>> > but all the stub does is to exec the real program, and the real>> > program should have mode 0500 or similar.>> >>> > ISTM the "right" check would be to enforce that the program's new>> > creds can read the program, but that will break backwards>> > compatibility.>>>> Last I looked I had the impression that exec of a setuid program kills>> the ptrace.>>>> If we are talking about a exec of a simple unreadable executable (aka>> something that sets undumpable but is not setuid or setgid). Then I>> agree it should break the ptrace as well and since those programs are as>> rare as hens teeth I don't see any problem with changing the ptrace behavior>> in that case.>> Nope. check_unsafe_exec() sets LSM_UNSAFE_* flags in bprm->unsafe, and then> the flags are checked by the LSMs and cap_bprm_set_creds() in commoncap.c.> cap_bprm_set_creds() just degrades the execution to a non-setuid-ish one,> and e.g. ptracers stay attached.
I think you're right. I ought to be completely sure because I rewrote
that code back in 2005 or so back when I thought kernel programming
was only for the cool kids. It was probably my first kernel patch
ever and it closed an awkward-to-exploit root hole. But it's been a
while. (Too bad my second (IIRC) kernel patch was more mundane and
fixed the mute button on "new" Lenovo X60-era laptops and spend
several years in limbo...)
--Andy

Andy Lutomirski <luto@amacapital.net> writes:
> On Wed, Oct 19, 2016 at 10:29 AM, Jann Horn <jann@thejh.net> wrote:>> On Wed, Oct 19, 2016 at 11:52:50AM -0500, Eric W. Biederman wrote:>>> Andy Lutomirski <luto@amacapital.net> writes:>>> > Simply ptrace yourself, exec the>>> > program, and then dump the program out. A program that really wants>>> > to be unreadable should have a stub: the stub is setuid and readable,>>> > but all the stub does is to exec the real program, and the real>>> > program should have mode 0500 or similar.>>> >>>> > ISTM the "right" check would be to enforce that the program's new>>> > creds can read the program, but that will break backwards>>> > compatibility.>>>>>> Last I looked I had the impression that exec of a setuid program kills>>> the ptrace.>>>>>> If we are talking about a exec of a simple unreadable executable (aka>>> something that sets undumpable but is not setuid or setgid). Then I>>> agree it should break the ptrace as well and since those programs are as>>> rare as hens teeth I don't see any problem with changing the ptrace behavior>>> in that case.>>>> Nope. check_unsafe_exec() sets LSM_UNSAFE_* flags in bprm->unsafe, and then>> the flags are checked by the LSMs and cap_bprm_set_creds() in commoncap.c.>> cap_bprm_set_creds() just degrades the execution to a non-setuid-ish one,>> and e.g. ptracers stay attached.>> I think you're right. I ought to be completely sure because I rewrote> that code back in 2005 or so back when I thought kernel programming> was only for the cool kids. It was probably my first kernel patch> ever and it closed an awkward-to-exploit root hole. But it's been a> while. (Too bad my second (IIRC) kernel patch was more mundane and> fixed the mute button on "new" Lenovo X60-era laptops and spend> several years in limbo...)
Ah yes and this is only a problem if the ptracer does not have
CAP_SYS_PTRACE.
If the tracer does not have sufficient permissions any opinions on
failing the exec or kicking out the ptracer? I am leaning towards failing
the exec as it is more obvious if someone cares. Dropping the ptracer
could be a major mystery.
Eric

On Oct 19, 2016 9:54 AM, "Eric W. Biederman" <ebiederm@xmission.com> wrote:
>> Andy Lutomirski <luto@amacapital.net> writes:>> > On Tue, Oct 18, 2016 at 2:15 PM, Eric W. Biederman> > <ebiederm@xmission.com> wrote:> >>> >> When the user namespace support was merged the need to prevent> >> ptracing an executable that is not readable was overlooked.> >> > Before getting too excited about this fix, isn't there a much bigger> > hole that's been there forever?>> In this case it was a newish hole (2011) that the user namespace support> added that I am closing. I am not super excited but I figure it is> useful to make the kernel semantics at least as secure as they were> before.>
But if it was never secure in the first place...
> > Simply ptrace yourself, exec the> > program, and then dump the program out. A program that really wants> > to be unreadable should have a stub: the stub is setuid and readable,> > but all the stub does is to exec the real program, and the real> > program should have mode 0500 or similar.> >> > ISTM the "right" check would be to enforce that the program's new> > creds can read the program, but that will break backwards> > compatibility.>> Last I looked I had the impression that exec of a setuid program kills> the ptrace.
I thought it killed the setuid, not the ptrace.
(I ought to know because I rewrote that code back in 2005 or so back when I
thought kernel programming was only for the cool kids. It was probably my
first kernel patch ever and it fixed an awkward-to-exploit race. But it's
been a while.)

On Wed, Oct 19, 2016 at 10:55 AM, Eric W. Biederman
<ebiederm@xmission.com> wrote:
> Andy Lutomirski <luto@amacapital.net> writes:>>> On Wed, Oct 19, 2016 at 10:29 AM, Jann Horn <jann@thejh.net> wrote:>>> On Wed, Oct 19, 2016 at 11:52:50AM -0500, Eric W. Biederman wrote:>>>> Andy Lutomirski <luto@amacapital.net> writes:>>>> > Simply ptrace yourself, exec the>>>> > program, and then dump the program out. A program that really wants>>>> > to be unreadable should have a stub: the stub is setuid and readable,>>>> > but all the stub does is to exec the real program, and the real>>>> > program should have mode 0500 or similar.>>>> >>>>> > ISTM the "right" check would be to enforce that the program's new>>>> > creds can read the program, but that will break backwards>>>> > compatibility.>>>>>>>> Last I looked I had the impression that exec of a setuid program kills>>>> the ptrace.>>>>>>>> If we are talking about a exec of a simple unreadable executable (aka>>>> something that sets undumpable but is not setuid or setgid). Then I>>>> agree it should break the ptrace as well and since those programs are as>>>> rare as hens teeth I don't see any problem with changing the ptrace behavior>>>> in that case.>>>>>> Nope. check_unsafe_exec() sets LSM_UNSAFE_* flags in bprm->unsafe, and then>>> the flags are checked by the LSMs and cap_bprm_set_creds() in commoncap.c.>>> cap_bprm_set_creds() just degrades the execution to a non-setuid-ish one,>>> and e.g. ptracers stay attached.>>>> I think you're right. I ought to be completely sure because I rewrote>> that code back in 2005 or so back when I thought kernel programming>> was only for the cool kids. It was probably my first kernel patch>> ever and it closed an awkward-to-exploit root hole. But it's been a>> while. (Too bad my second (IIRC) kernel patch was more mundane and>> fixed the mute button on "new" Lenovo X60-era laptops and spend>> several years in limbo...)>> Ah yes and this is only a problem if the ptracer does not have> CAP_SYS_PTRACE.>> If the tracer does not have sufficient permissions any opinions on> failing the exec or kicking out the ptracer? I am leaning towards failing> the exec as it is more obvious if someone cares. Dropping the ptracer> could be a major mystery.
I would suggest leaving it alone. Changing it could break enough
things that a sysctl would be needed, and I just don't see how this is
a significant issue, especially since it's been insecure forever.
Anyone who cares should do the stub executable trick:
/sbin/foo: 04755, literally just does execve("/sbin/foo-helper");
/sbin/foo-helper: 0500.
--Andy

Andy Lutomirski <luto@amacapital.net> writes:
> On Wed, Oct 19, 2016 at 10:55 AM, Eric W. Biederman> <ebiederm@xmission.com> wrote:>> Andy Lutomirski <luto@amacapital.net> writes:>>>>> On Wed, Oct 19, 2016 at 10:29 AM, Jann Horn <jann@thejh.net> wrote:>>>> On Wed, Oct 19, 2016 at 11:52:50AM -0500, Eric W. Biederman wrote:>>>>> Andy Lutomirski <luto@amacapital.net> writes:>>>>> > Simply ptrace yourself, exec the>>>>> > program, and then dump the program out. A program that really wants>>>>> > to be unreadable should have a stub: the stub is setuid and readable,>>>>> > but all the stub does is to exec the real program, and the real>>>>> > program should have mode 0500 or similar.>>>>> >>>>>> > ISTM the "right" check would be to enforce that the program's new>>>>> > creds can read the program, but that will break backwards>>>>> > compatibility.>>>>>>>>>> Last I looked I had the impression that exec of a setuid program kills>>>>> the ptrace.>>>>>>>>>> If we are talking about a exec of a simple unreadable executable (aka>>>>> something that sets undumpable but is not setuid or setgid). Then I>>>>> agree it should break the ptrace as well and since those programs are as>>>>> rare as hens teeth I don't see any problem with changing the ptrace behavior>>>>> in that case.>>>>>>>> Nope. check_unsafe_exec() sets LSM_UNSAFE_* flags in bprm->unsafe, and then>>>> the flags are checked by the LSMs and cap_bprm_set_creds() in commoncap.c.>>>> cap_bprm_set_creds() just degrades the execution to a non-setuid-ish one,>>>> and e.g. ptracers stay attached.>>>>>> I think you're right. I ought to be completely sure because I rewrote>>> that code back in 2005 or so back when I thought kernel programming>>> was only for the cool kids. It was probably my first kernel patch>>> ever and it closed an awkward-to-exploit root hole. But it's been a>>> while. (Too bad my second (IIRC) kernel patch was more mundane and>>> fixed the mute button on "new" Lenovo X60-era laptops and spend>>> several years in limbo...)>>>> Ah yes and this is only a problem if the ptracer does not have>> CAP_SYS_PTRACE.>>>> If the tracer does not have sufficient permissions any opinions on>> failing the exec or kicking out the ptracer? I am leaning towards failing>> the exec as it is more obvious if someone cares. Dropping the ptracer>> could be a major mystery.>> I would suggest leaving it alone. Changing it could break enough> things that a sysctl would be needed, and I just don't see how this is> a significant issue, especially since it's been insecure forever.> Anyone who cares should do the stub executable trick:>> /sbin/foo: 04755, literally just does execve("/sbin/foo-helper");>> /sbin/foo-helper: 0500.
I can't imagine what non-malware would depend on being able to
circumvent file permissions and ptrace a read-only executable. Is there
something you are thinking of?
I know I saw someone depending on read-only executables being read-only
earlier this week on the security list, and it could definitely act as
part of a counter measure to make binaries harder to exploit.
So given that people actually expect no-read permissions to be honored
on executables (with what seem valid and sensible use cases), that
I can't see any valid reason not to honor no-read permissions, that it
takes a really convoluted setup to bypass the current no-read
permissions, and that I can't believe anyone cares about the current
behavior of ptrace I think this is worth fixing.
Eric

On Oct 19, 2016 2:28 PM, "Eric W. Biederman" <ebiederm@xmission.com> wrote:
>> Andy Lutomirski <luto@amacapital.net> writes:>> > On Wed, Oct 19, 2016 at 10:55 AM, Eric W. Biederman> > <ebiederm@xmission.com> wrote:> >> Andy Lutomirski <luto@amacapital.net> writes:> >>> >>> On Wed, Oct 19, 2016 at 10:29 AM, Jann Horn <jann@thejh.net> wrote:> >>>> On Wed, Oct 19, 2016 at 11:52:50AM -0500, Eric W. Biederman wrote:> >>>>> Andy Lutomirski <luto@amacapital.net> writes:> >>>>> > Simply ptrace yourself, exec the> >>>>> > program, and then dump the program out. A program that really wants> >>>>> > to be unreadable should have a stub: the stub is setuid and readable,> >>>>> > but all the stub does is to exec the real program, and the real> >>>>> > program should have mode 0500 or similar.> >>>>> >> >>>>> > ISTM the "right" check would be to enforce that the program's new> >>>>> > creds can read the program, but that will break backwards> >>>>> > compatibility.> >>>>>> >>>>> Last I looked I had the impression that exec of a setuid program kills> >>>>> the ptrace.> >>>>>> >>>>> If we are talking about a exec of a simple unreadable executable (aka> >>>>> something that sets undumpable but is not setuid or setgid). Then I> >>>>> agree it should break the ptrace as well and since those programs are as> >>>>> rare as hens teeth I don't see any problem with changing the ptrace behavior> >>>>> in that case.> >>>>> >>>> Nope. check_unsafe_exec() sets LSM_UNSAFE_* flags in bprm->unsafe, and then> >>>> the flags are checked by the LSMs and cap_bprm_set_creds() in commoncap.c.> >>>> cap_bprm_set_creds() just degrades the execution to a non-setuid-ish one,> >>>> and e.g. ptracers stay attached.> >>>> >>> I think you're right. I ought to be completely sure because I rewrote> >>> that code back in 2005 or so back when I thought kernel programming> >>> was only for the cool kids. It was probably my first kernel patch> >>> ever and it closed an awkward-to-exploit root hole. But it's been a> >>> while. (Too bad my second (IIRC) kernel patch was more mundane and> >>> fixed the mute button on "new" Lenovo X60-era laptops and spend> >>> several years in limbo...)> >>> >> Ah yes and this is only a problem if the ptracer does not have> >> CAP_SYS_PTRACE.> >>> >> If the tracer does not have sufficient permissions any opinions on> >> failing the exec or kicking out the ptracer? I am leaning towards failing> >> the exec as it is more obvious if someone cares. Dropping the ptracer> >> could be a major mystery.> >> > I would suggest leaving it alone. Changing it could break enough> > things that a sysctl would be needed, and I just don't see how this is> > a significant issue, especially since it's been insecure forever.> > Anyone who cares should do the stub executable trick:> >> > /sbin/foo: 04755, literally just does execve("/sbin/foo-helper");> >> > /sbin/foo-helper: 0500.>> I can't imagine what non-malware would depend on being able to> circumvent file permissions and ptrace a read-only executable. Is there> something you are thinking of?
$ strace sudo foobar
or
$ strace auditctl
I find the current behavior somewhat odd, but I've taken advantage of
it on a semi-regular basis.
That being said, the "May the user_ns root read the executable?" test
in your patch is not strictly correct. Do we keep a struct cred
around for the ns root?

With everyone heading to Kernel Summit and Plumbers I put this set of
patches down temporarily. Now is the time to take it back up and to
make certain I am not missing something stupid in this set of patches.
There are other issues in this area as well, but these are the pieces
that I can see clearly, and have tested fixes for.
Andy as to your criticism about using strace sudo I can't possibly see
how that is effective or useful. Under strace sudo won't run as root
today, and will immediately exit because it is not root. Furthermore
the only place I can find non-readable executables is people hardening
suid root executables so they are more difficult to trace. So I
definitely think we should honor the unix permissions and people's
expressed wishes.
Eric W. Biederman (3):
ptrace: Capture the ptracer's creds not PT_PTRACE_CAP
exec: Don't allow ptracing an exec of an unreadable file
exec: Ensure mm->user_ns contains the execed files
fs/exec.c | 26 +++++++++++++++++++++++---
include/linux/capability.h | 2 ++
include/linux/ptrace.h | 1 -
include/linux/sched.h | 1 +
kernel/capability.c | 36 ++++++++++++++++++++++++++++++++++--
kernel/ptrace.c | 12 +++++++-----
6 files changed, 67 insertions(+), 11 deletions(-)

Hi Eric,
On Thu, Nov 17, 2016 at 11:02:47AM -0600, Eric W. Biederman wrote:
> > With everyone heading to Kernel Summit and Plumbers I put this set of> patches down temporarily. Now is the time to take it back up and to> make certain I am not missing something stupid in this set of patches.
I couldn't get your patch set to apply to any of the kernels I tried,
I manually adjusted some parts but the second one has too many rejects.
What kernel should I apply this to ? Or maybe some preliminary patches
are needed ?
Thanks,
Willy

Willy Tarreau <w@1wt.eu> writes:
> Hi Eric,>> On Thu, Nov 17, 2016 at 11:02:47AM -0600, Eric W. Biederman wrote:>> >> With everyone heading to Kernel Summit and Plumbers I put this set of>> patches down temporarily. Now is the time to take it back up and to>> make certain I am not missing something stupid in this set of patches.>> I couldn't get your patch set to apply to any of the kernels I tried,> I manually adjusted some parts but the second one has too many rejects.> What kernel should I apply this to ? Or maybe some preliminary patches> are needed ?
It is against my for-next branch, and there is one patch in there
that is significant.
The entire patchset should be at:
git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace.git for-next
Eric

ebiederm@xmission.com (Eric W. Biederman) writes:
> Willy Tarreau <w@1wt.eu> writes:>>> Hi Eric,>>>> On Thu, Nov 17, 2016 at 11:02:47AM -0600, Eric W. Biederman wrote:>>> >>> With everyone heading to Kernel Summit and Plumbers I put this set of>>> patches down temporarily. Now is the time to take it back up and to>>> make certain I am not missing something stupid in this set of patches.>>>> I couldn't get your patch set to apply to any of the kernels I tried,>> I manually adjusted some parts but the second one has too many rejects.>> What kernel should I apply this to ? Or maybe some preliminary patches>> are needed ?>> It is against my for-next branch, and there is one patch in there> that is significant.>> The entire patchset should be at:> git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace.git for-next
Grr. I typed too fast, the branch above is the base:
git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace.git for-testing
should be the entire thing.
Eric